my action values will now be 336464, 4894484, and 893hg3kgj4ui4

thanks :)

  ----- Original Message -----
  From: [EMAIL PROTECTED]
  To: CF-Talk
  Sent: Friday, February 27, 2004 3:04 PM
  Subject: RE: Protect action pages

  if I save your page to my hard drive and edit the 'hidden' action field, could I possibly guess how to delete a record or table?

  Douglas Knudsen (Telecommuting)
  ACI RRT Group

  "Let your hook be always cast. In the pool where you least expect it, will be fish."
  -Ovid

  -----Original Message-----
  From: brobborb [mailto:[EMAIL PROTECTED]]
  Sent: Fri 2/27/2004 3:47 PM
  To: CF-Talk
  Cc:
  Subject: Re: Protect action pages
  I wrap my action pages in a CFSWITCH.

  All of the values in my cases are names of certain actions, such as "update" or "delete" or "Send order".

  On every form sent is a hidden field named "action".  So, if there is no form.action variable present, then it gives them a custom error or forwards them somewhere else.  You think this will help?

    ----- Original Message -----
    From: Stan Winchester
    To: CF-Talk
    Sent: Friday, February 27, 2004 2:09 PM
    Subject: Protect action pages

    I want to protect action pages from unauthorized forms that are not on the
    same server, namely spammers. I wrote this simple script that will work in
    conjunction with my other form validation scripts to ensure a referrer comes
    from the same CGI.HTTP_HOST.

    <cftry>
    <cfscript>
      message = "";
      errors = 0;
      if ( NOT FindNoCase(CGI.HTTP_HOST,CGI.HTTP_REFERER) ) {
        message = "You cannot access this page";
        errors = 1;
      }
    </cfscript>
    <cfif errors EQ 1 >
      <cfthrow message="#message#" type="goBack">
    </cfif>

      <cfcatch type="Any">
        <cfoutput>
          <h3>#message#</h3>
        </cfoutput>
      </cfcatch>
    </cftry>

    Does anyone see any holes that I should address, or is there a better
    solution?

    Thank you,
    Aftershock Web Design, Inc.
    by: Stan Winchester
    President/Developer
    [EMAIL PROTECTED]
    http://www.aftershockweb.com/
    Tel. 503-244-3440
    Fax 503-244-3454
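    An added example, not from any message in this thread: a Python model of the posted CFML test `NOT FindNoCase(CGI.HTTP_HOST, CGI.HTTP_REFERER)` beside a variant that parses the referrer and compares its host exactly, run over constructed header values (the host name is a placeholder). It shows the hole a substring match leaves, and that both forms reject an empty Referer, which browsers and proxies legitimately strip; the header is still client-supplied, so even the exact comparison only filters requests whose sender sends an honest one.

```python
from urllib.parse import urlsplit

# Constructed stand-in for CGI.HTTP_HOST on the server (placeholder host).
HOST = "www.example.com"


def substring_check(http_host: str, http_referer: str) -> bool:
    """Model of the posted check: allowed when HTTP_HOST occurs anywhere
    inside HTTP_REFERER, case-insensitively (what FindNoCase tests)."""
    return http_host.lower() in http_referer.lower()


def host_check(http_host: str, http_referer: str) -> bool:
    """Hardened variant: parse the referrer as a URL and require its host
    (plus explicit port, mirroring how HTTP_HOST carries one) to equal
    the server's own host exactly."""
    if not http_referer:
        return False  # header absent or stripped: nothing to verify
    parts = urlsplit(http_referer)
    if parts.scheme not in ("http", "https"):
        return False
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    ref_host = (parts.hostname or "").lower()
    if port is not None:
        ref_host = f"{ref_host}:{port}"
    return ref_host == http_host.lower()


# Constructed Referer values: a same-site form, a stripped header, and two
# off-site pages whose URL merely contains the server's host name.
CASES = {
    "same site": "http://www.example.com/order.cfm",
    "stripped": "",
    "host as prefix": "http://www.example.com.evil.test/form.html",
    "host in query": "http://other.test/post.html?www.example.com",
}


def compare_checks(http_host: str = HOST) -> dict:
    """Run both checks over CASES; returns {label: (substring, exact)}."""
    return {
        label: (substring_check(http_host, ref), host_check(http_host, ref))
        for label, ref in CASES.items()
    }


if __name__ == "__main__":
    for label, (loose, strict) in compare_checks().items():
        print(f"{label:15} substring={loose!s:5} exact={strict}")
```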